In one embodiment, a method includes receiving data at a virtual switch located at a network device in a cloud network. The data is received from an external network and destined for one or more virtual machines located in the cloud network and associated with the external network. The method further includes transmitting the data from the virtual switch to the virtual machines. The virtual switch operates as an access layer switch for the external network and creates a virtual switching overlay for secure communication between the virtual machines and the external network. Logic and an apparatus are also disclosed.
|
9. Logic encoded in one or more tangible non-transitory media for execution and when executed operable to:
switch data between virtual machines located in a cloud network;
forward data to an external network;
perform access layer switch operations for the external network; and
create a virtual switching overlay for secure communication of said data between the virtual machines and the external network.
15. An apparatus comprising
means for receiving data at a virtual switch in a cloud network, said data received from an external network and destined for one or more virtual machines located in the cloud network and associated with the external network; and
means for transmitting said data from the virtual switch to said one or more virtual machines;
wherein the virtual switch operates as an access layer switch for the external network and creates a virtual switching overlay for secure communication between the virtual machines and the external network.
1. A method comprising:
receiving data at a virtual switch located at a network device in a cloud network, said data received from an external network and destined for one or more virtual machines located in the cloud network and associated with the external network; and
transmitting said data from the virtual switch to said one or more virtual machines;
wherein the virtual switch operates as an access layer switch for the external network and creates a virtual switching overlay for secure communication between the virtual machines and the external network.
0. 51. A system comprising:
a first data center associated with an enterprise; and
a second data center that includes a virtual switch and one or more virtual machines in a cloud network associated with the enterprise;
wherein the virtual switch is configured to:
receive data from the first data center and destined for the one or more virtual machines; and
operate as an access layer switch for the first data center and create a virtual switching overlay for secure communication between the one or more virtual machines and the first data center by encapsulating said data for transmission to said one or more virtual machines.
2. The method of
3. The method of
4. The method of
5. The method of
6. The method of
7. The method of
8. The method of
10. The logic of
11. The logic of
12. The logic of
13. The logic of
14. The logic of
16. The apparatus of
17. The apparatus of
18. The apparatus of
19. The apparatus of
20. The apparatus of
0. 21. The method of claim 1, wherein data transmitted between the virtual switch and the external network is transmitted via secure tunnel communication.
0. 22. The method of claim 1, wherein data transmitted between the virtual switch and the one or more virtual machines is encapsulated.
0. 23. The method of claim 22, wherein the one or more virtual machines and the external network are part of a single overlay network.
0. 24. The method of claim 1, wherein the cloud network is in a first datacenter and the external network is in a second datacenter.
0. 25. The method of claim 1, wherein the virtual switch is located in one of the one or more virtual machines located in the cloud network.
0. 26. The method of claim 1, further comprising creating an additional virtual switch in response to a limit of the virtual switch being reached.
0. 27. The method of claim 1, further comprising associating one or more agents with said one or more virtual machines.
0. 28. The method of claim 27, wherein transmitting said data comprises transmitting said data over a secure connection to one of the one or more agents associated with one of said one or more virtual machines.
0. 29. The method of claim 1, wherein each of the one or more virtual machines has a set of policies and/or attributes that are applied as the virtual machine comes online in the cloud network.
0. 30. The method of claim 1, wherein the virtual switch further comprises a virtual supervisor module that provides control plane functionality.
0. 31. The method of claim 1, wherein the virtual switch comprises a virtual Ethernet module that operates as a data plane.
0. 32. The method of claim 1, wherein the virtual switch is connected to a central management station.
0. 33. The method of claim 32, further comprising:
accessing and performing management functions on the virtual switch.
0. 34. The method of claim 1, wherein the virtual switch comprises a virtual supervisor module and a virtual Ethernet module.
0. 35. The logic of claim 9, wherein data forwarded to the external network is transmitted via secure tunnel communication.
0. 36. The logic of claim 9, wherein the cloud network is in a first datacenter and the external network is in a second datacenter.
0. 37. The logic of claim 9, wherein each of the virtual machines has a set of policies and/or attributes that are applied as the virtual machine comes online in the cloud network.
0. 38. The apparatus of claim 15, wherein data transmitted between the virtual switch from the external network is transmitted via secure tunnel communication.
0. 39. The apparatus of claim 38, wherein data transmitted between the virtual switch and the one or more virtual machines is encapsulated.
0. 40. The apparatus of claim 39, wherein the one or more virtual machines and the external network are part of a single overlay network.
0. 41. The apparatus of claim 15, wherein the cloud network is in a first datacenter and the external network is in a second datacenter.
0. 42. The apparatus of claim 15, wherein the virtual switch is located in a virtual machine located in the cloud network.
0. 43. The apparatus of claim 15, wherein an additional virtual switch is created in response to a limit of the virtual switch being reached.
0. 44. The apparatus of claim 15, wherein one or more agents are associated with said one or more virtual machines.
0. 45. The apparatus of claim 44, wherein the means for transmitting said data causes transmission of said data over a secure connection to one of the one or more agents associated with one of said one or more virtual machines.
0. 46. The apparatus of claim 15, wherein each of the one or more virtual machines has a set of policies and/or attributes that are applied as the virtual machine comes online in the cloud network.
0. 47. The apparatus of claim 15, wherein the virtual switch comprises a virtual supervisor module that provides control plane functionality.
0. 48. The apparatus of claim 15, wherein the virtual switch comprises a virtual Ethernet module that operates as a data plane.
0. 49. The apparatus of claim 15, wherein the virtual switch is connected to a central management station.
0. 50. The apparatus of claim 49, wherein the virtual switch is configured to enable access by an administrator to perform management functions on the virtual switch.
0. 52. The system of claim 51, wherein data transmitted between the virtual switch and the first data center is transmitted via secure tunnel communication.
0. 53. The system of claim 51, wherein the one or more virtual machines and the first data center are part of a single overlay network.
0. 54. The system of claim 51, wherein the virtual switch is located in one of the one or more virtual machines located in the second data center.
0. 55. The system of claim 51, further comprising an additional virtual switch that is created in response to a limit of the virtual switch being reached.
0. 56. The system of claim 51, further comprising one or more agents associated with the one or more virtual machines.
0. 57. The system of claim 56, wherein the virtual switch is configured to transmit said data over a secure connection to one of the one or more agents associated with one of said one or more virtual machines.
0. 58. The system of claim 51, wherein each of the one or more virtual machines has a set of policies and/or attributes that are applied as the virtual machine comes online in the second data center.
0. 59. The system of claim 51, wherein the virtual switch further comprises a virtual supervisor module that provides control plane functionality.
0. 60. The system of claim 51, wherein the virtual switch comprises a virtual Ethernet module that operates as a data plane.
0. 61. The system of claim 51, further comprising a central management station that is in communication with the virtual switch.
0. 62. The system of claim 61, wherein the central management station is configured to access and perform management functions on the virtual switch.
0. 63. The system of claim 51, wherein the virtual switch comprises a virtual supervisor module and a virtual Ethernet module.
|
The present disclosure relates generally to communication networks, and more particularly, to cloud computing.
The number of applications and amount of data in enterprise data centers continue to grow. Cloud computing is being proposed as one possibility to meet the increasing demands. Cloud computing enables network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort. Infrastructure as a Service (IaaS) is one area of cloud computing that has attracted a lot of interest. IaaS delivers computer infrastructure, typically a platform virtualization environment, as a service. Rather than purchasing servers, software, data center space, or network equipment, customers instead purchase these resources as an outsourced service. Most IaaS providers do not disclose how their infrastructures are handled internally since they often view this as their competitive advantage. As a result, the enterprise has no visibility into the infrastructure within the cloud and is left with no assurance of security, reliability, or visibility. Even if the provider discloses how their internal operations are implemented, there is still no way for the enterprise to monitor or verify the infrastructure.
Corresponding reference characters indicate corresponding parts throughout the several views of the drawings.
Overview
In one embodiment, a method generally comprises receiving data at a virtual switch located at a network device in a cloud network. The data is received from an external network and destined for one or more virtual machines located in the cloud network and associated with the external network. The method further includes transmitting the data from the virtual switch to the virtual machine. The virtual switch operates as an access layer switch for the external network and creates a virtual switching overlay for secure communication between the virtual machines and the external network.
In another embodiment, logic is encoded in one or more tangible media for execution and when executed operable to switch data between virtual machines located in a cloud network, forward data to an external network, perform access layer switch operations for the external network, and create a virtual switching overlay for secure communication between the virtual machines and the external network.
Example Embodiments
The following description is presented to enable one of ordinary skill in the art to make and use the embodiments. Descriptions of specific embodiments and applications are provided only as examples and various modifications will be readily apparent to those skilled in the art. The general principles described herein may be applied to other applications without departing from the scope of the embodiments. Thus, the embodiments are not to be limited to the embodiments shown, but are to be accorded the widest scope consistent with the principles and features described herein. For purpose of clarity, features relating to technical material that is known in the technical fields related to the embodiments have not been described in detail.
Cloud computing is a model that provides resources and services that are abstracted from an underlying infrastructure and provided on demand and at scale in a multi-tenant environment. The clouds are typically accessed through web browsers or APIs (Application Programming Interfaces) and offer nearly unlimited capacity on demand, but with limited customer control. One area of cloud computing is Infrastructure as a service (IaaS), in which computing, network, and storage services are delivered over the network on a pay-as-you-go basis. A popular offering within IaaS is the Virtual Private Cloud (VPC). The VPC is hosted on a public cloud; therefore, it is not truly a private cloud. The VPC includes a set of Virtual Machines (VMs) and networks that are connected to the enterprise and appear to be part of the enterprise (i.e., associated with the enterprise network). With conventional implementations of virtual private clouds, there are concerns about security, reliability, and visibility. The network administrator has to extend the enterprise network into an insecure environment and therefore loses visibility into what is happening within the cloud, and control over security and enterprise-class features. Also, there is no consistent interface between all of the various cloud providers. Enterprises desire security, service-level guarantees, and compliance control, but with virtual private clouds, the service providers are in control of these requisite capabilities. These drawbacks prevent many enterprises from adopting cloud computing.
The embodiments described herein address the above needs within the cloud computing environment. The embodiments provide a virtual switching overlay on top of the cloud infrastructure. This allows the network administrator to regain control of the network access layer within the virtual private cloud and provides full visibility into the cloud, secure communication within the cloud and from the cloud to the enterprise, and an interface to the cloud network that is independent of the service provider.
Referring now to the drawings, and first to
The network 10 shown in
The VPC 20 includes a plurality of servers 40 which utilize virtualization technology. Virtualization allows one computer to do the job of multiple computers by sharing the resources of a single computer across multiple systems. Software is used to virtualize hardware resources of a computer, including, for example, the CPU, RAM, hard disk, and network controller, to create a virtual machine that can run its own operating system and applications. Multiple virtual machines on each server share hardware resources without interfering with each other so that several operating systems and applications can be run at the same time. The virtual machines are deployed within the cloud on demand with the IP addresses of the VMs controlled by the enterprise.
As described in detail below, a virtual switch 34 is located in the VPC 20 to provide a virtual switching overlay 18 on top of the cloud. The virtual switch 34 operates as an access layer switch for the customer so that the customer has control of the cloud network access layer.
The virtual switch 34 transmits data received from the enterprise 12 to virtual machines 30 located within the VPC 20 via encrypted links (virtual secure wires) 48. The VPC data center 20 may also include more than one virtual switch 34 with an encrypted link between the virtual switches. L2TPv3 over IPsec may be used to encrypt packets transmitted between the virtual switch 34 and virtual machines 30. It is to be understood that L2TPv3 over IPsec is only one example and that other protocols may be used to transfer data between the virtual switch 34 and virtual machines 30.
In one embodiment, each virtual machine 30 includes an agent 32. The agent 32 may be a VPN client, for example, or other application loaded in the virtual machine 30 by an enterprise server/application administrator. The agent 32 contains the IP address assigned by the service provider and port profile names. A port profile is used to define a common set of configuration policies (attributes) for multiple interfaces. The port profiles are associated with port configuration policies defined by the network administrator and applied to a large number of ports as they come online in a virtual environment.
The VPN connection 22 may be used to signal VM MAC addresses back to the enterprise 12 to prevent flooding across the VPN connection 22. Since traffic leaving the virtual private cloud 20 is often billed by the provider, stopping floods can reduce costs. The virtual switch 36 at the enterprise may also proxy ARP (Address Resolution Protocol) requests on behalf of the VMs 30 within the VPC 20. As shown in
The servers 40 are in communication with the network via switches 52, 54, (e.g., hardware implemented network switches or other network devices configured to perform switching or routing functions). The switches 52, 54 may be in communication with a management station 56 (e.g., virtualization management platform such as VMware Virtual Center management station, available from VMware of Palo Alto, Calif.). The management station 56 or one or more management functions may also be integrated into the switches 52, 54.
In the embodiment shown in
The VSM 45 is configured to provide control/management plane functionality for the virtual machines 30 and control multiple VEMs 46. The VEM 46 provides switching capability at the server 40 and operates as a data plane associated with the control plane of the VSM 45. The VSM 45 and VEM 46 operate together to form a distributed virtual switch as viewed by the management station 56. The VSM 45 and VEM 46 may also be located together in a network device (e.g., switch 52, 54, server 40 or other network device in communication with the switches 52, 54 and servers 40).
It is to be understood that the network shown in
The virtual switch 34 allows the enterprise to gain control of the cloud network access layer. All traffic entering or leaving the cloud (e.g., VPC 20 or subnet 25 in VPC) associated with the enterprise passes through the virtual switch 34. An administrator at the enterprise can access the virtual switch 34 and view the virtual Ethernet ports (interfaces), configure ACLs (Access Control Lists), manage port profiles, and perform other management functions typically performed at the access layer.
The VPC 20 may include multiple virtual switches 34 connected to a central management plane. The central management plane is assigned an elastic IP address and spawns off virtual switches 34 as virtual Ethernet interfaces are created and limits at the virtual switch are reached. The port profiles may be configured in the central management plane with the virtual switches 34 pulling port profiles on demand when the associated virtual Ethernet interfaces connect to the virtual switch. The virtual switches 34 preferably create a full mesh of VPN tunnels to form a single logical switch to prevent loops and eliminate the need for spanning tree.
Network device 70 interfaces with physical media via a plurality of linecards (network interfaces) 76. Linecards 76 may incorporate Ethernet interfaces, DSL interfaces, Gigabit Ethernet interfaces, 10-Gigabit Ethernet interfaces, SONET interfaces, etc. As packets are received, processed, and forwarded by network device 70, they may be stored in a packet memory 78. To implement functionality according to the system, linecards 76 may incorporate processing and memory resources similar to those discussed above in connection with the network device as a whole. It is to be understood that the network device 70 shown in
Although the method and apparatus have been described in accordance with the embodiments shown, one of ordinary skill in the art will readily recognize that there could be variations made without departing from the scope of the embodiments. Accordingly, it is intended that all matter contained in the above description and shown in the accompanying drawings shall be interpreted as illustrative and not in a limiting sense.
Patent | Priority | Assignee | Title |
Patent | Priority | Assignee | Title |
6490273, | Aug 05 1998 | Sprint Communications Company L.P. | Asynchronous transfer mode architecture migration |
7055171, | May 31 2000 | HEWLETT-PACKARD DEVELOPMENT COMPANY L P | Highly secure computer system architecture for a heterogeneous client environment |
7516211, | Aug 05 2003 | Cisco Technology, Inc. | Methods and apparatus to configure a communication port |
7567510, | Feb 13 2003 | Cisco Systems, Inc; Cisco Technology, Inc | Security groups |
7660265, | Oct 27 2006 | TWITTER, INC | Network packet inspection and forwarding |
8055789, | Mar 27 2007 | Amazon Technologies, Inc | Configuring intercommunications between computing nodes |
8345692, | Apr 27 2010 | Cisco Technology, Inc. | Virtual switching overlay for cloud computing |
8369333, | Oct 21 2009 | Alcatel Lucent | Method and apparatus for transparent cloud computing with a virtualized network infrastructure |
8705513, | Dec 15 2009 | AT&T Intellectual Property I, L.P. | Methods and apparatus to communicatively couple virtual private networks to virtual machines within distributive computing networks |
9338024, | Apr 11 2007 | ARRIS ENTERPRISES LLC | Extended layer two tunneling protocol applications and architectures |
20030014524, | |||
20050063395, | |||
20060230407, | |||
20070028244, | |||
20070147279, | |||
20080148386, | |||
20090063706, | |||
20090249438, | |||
20090296726, | |||
20090327462, | |||
20100027420, | |||
20100027442, | |||
20100131636, | |||
20110090911, | |||
20110134793, | |||
20110194404, | |||
20220321499, |
Executed on | Assignor | Assignee | Conveyance | Frame | Reel | Doc |
Apr 26 2010 | SMITH, MICHAEL | Cisco Technology, Inc | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 063730 | /0016 | |
Jun 30 2021 | Cisco Technology, Inc. | (assignment on the face of the patent) | / |
Date | Maintenance Fee Events |
Jun 30 2021 | BIG: Entity status set to Undiscounted (note the period is included in the code). |
Jun 25 2024 | M1553: Payment of Maintenance Fee, 12th Year, Large Entity. |
Date | Maintenance Schedule |
Sep 19 2026 | 4 years fee payment window open |
Mar 19 2027 | 6 months grace period start (w surcharge) |
Sep 19 2027 | patent expiry (for year 4) |
Sep 19 2029 | 2 years to revive unintentionally abandoned end. (for year 4) |
Sep 19 2030 | 8 years fee payment window open |
Mar 19 2031 | 6 months grace period start (w surcharge) |
Sep 19 2031 | patent expiry (for year 8) |
Sep 19 2033 | 2 years to revive unintentionally abandoned end. (for year 8) |
Sep 19 2034 | 12 years fee payment window open |
Mar 19 2035 | 6 months grace period start (w surcharge) |
Sep 19 2035 | patent expiry (for year 12) |
Sep 19 2037 | 2 years to revive unintentionally abandoned end. (for year 12) |